Not All Logins Should Be Treated Equally
A staff member logging in from their managed laptop in your office is a different risk to someone logging in from an unknown device in another country at 2 AM. Yet without conditional access, both logins are treated identically: same username, same password, same access. Conditional access policies in Microsoft 365 let you apply different requirements based on the context of each sign-in attempt.
What Conditional Access Does
Conditional access evaluates every sign-in against a set of conditions and applies controls based on the result. Conditions include user identity and group membership, device platform and compliance status, location (IP address, country), application being accessed, sign-in risk level (detected by Microsoft Entra ID Protection), and client application type.
Controls include requiring MFA, requiring a compliant device, blocking access entirely, limiting access to browser-only (no downloads), and requiring terms of use acceptance.
Practical Policies for SMEs
Require MFA for all users: The baseline policy. Every user must complete MFA when signing in. This single policy blocks 99.9 per cent of credential-based attacks according to Microsoft’s own data.
Block legacy authentication: Older email protocols (POP3, IMAP, SMTP with basic auth) cannot support MFA and are a common attack vector. Block them. Modern email clients do not need them.
Require compliant devices for sensitive applications: Allow access to SharePoint, Teams, and email from managed, compliant devices only. Unmanaged devices get browser-only access with no ability to download files.
Block access from high-risk countries: If your business only operates in Australia, block sign-ins from countries where you have no staff or operations. This eliminates a large volume of credential attacks that originate overseas.
Require MFA for risky sign-ins: Microsoft Entra ID Protection detects anomalous sign-in patterns such as impossible travel, unfamiliar locations and anonymous IP addresses. Configure a policy that requires additional verification when risk is detected.
Protect admin accounts: Require MFA and a compliant device for all admin sign-ins. Consider requiring phishing-resistant MFA (FIDO2 security keys or Windows Hello for Business) for privileged accounts.
Named Locations
Define your office IP addresses as “trusted locations” in Entra ID. This allows you to create policies that are less restrictive when staff are in the office (where physical security provides an additional layer) and more restrictive when they are remote. For example, you might allow single-factor authentication from the office but require MFA from any other location.
Device Compliance
Conditional access is most powerful when combined with device management through Microsoft Intune. A compliance policy defines the minimum requirements for a device: encryption enabled, firewall active, operating system up to date, endpoint protection running. Conditional access then checks compliance before granting access. A non-compliant device is blocked or given limited access until the issue is resolved.
Report-Only Mode
Before enforcing any conditional access policy, deploy it in report-only mode first. This shows you what the policy would have done without actually blocking anyone. Review the report-only results for a week or two to identify any unintended impacts: a contractor using a platform you did not account for, a business application using legacy authentication, or a staff member who needs access from a location you planned to block.
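The report-only review above, and the legacy authentication policy earlier on this page, both come down to reading the sign-in log before you enforce anything. The script below is an added example written for this article, not Microsoft tooling: it triages a sign-in log export to list which accounts still authenticate with basic-auth protocols and which report-only policies would have blocked whom. The records are constructed, and their field names (userPrincipalName, clientAppUsed, appliedConditionalAccessPolicies and the reportOnly* result values) follow the Microsoft Graph signIn resource as the author of this example understands it; confirm them against your own export before relying on the output.

```python
"""Triage a sign-in log export before enforcing conditional access.

Added example for this article, not Microsoft tooling. SAMPLE_SIGNINS is
constructed; field names follow the Microsoft Graph signIn resource as
understood by the author of this example (an assumption to verify).
"""
from collections import defaultdict

# clientAppUsed values that indicate basic authentication, which cannot do MFA
LEGACY_CLIENTS = {"IMAP4", "POP3", "Authenticated SMTP", "Exchange ActiveSync", "Other clients"}

# Report-only outcomes that mean "this sign-in would have been blocked or
# interrupted for extra verification" had the policy been enforced
WOULD_HAVE_STOPPED = {"reportOnlyFailure", "reportOnlyInterrupted"}

SAMPLE_SIGNINS = [  # constructed records standing in for a week's export
    {"userPrincipalName": "alice@example.com", "clientAppUsed": "Browser",
     "appDisplayName": "Office 365 SharePoint Online",
     "location": {"countryOrRegion": "AU"},
     "appliedConditionalAccessPolicies": [
         {"displayName": "Require compliant device for sensitive apps",
          "result": "reportOnlySuccess"}]},
    {"userPrincipalName": "scanner@example.com", "clientAppUsed": "Authenticated SMTP",
     "appDisplayName": "Office 365 Exchange Online",
     "location": {"countryOrRegion": "AU"},
     "appliedConditionalAccessPolicies": [
         {"displayName": "Block legacy authentication", "result": "reportOnlyFailure"}]},
    {"userPrincipalName": "bob@example.com", "clientAppUsed": "IMAP4",
     "appDisplayName": "Office 365 Exchange Online",
     "location": {"countryOrRegion": "AU"},
     "appliedConditionalAccessPolicies": [
         {"displayName": "Block legacy authentication", "result": "reportOnlyFailure"}]},
    {"userPrincipalName": "contractor@partner.example", "clientAppUsed": "Browser",
     "appDisplayName": "Microsoft Teams",
     "location": {"countryOrRegion": "NZ"},
     "appliedConditionalAccessPolicies": [
         {"displayName": "Block sign-ins from outside Australia",
          "result": "reportOnlyFailure"}]},
]


def legacy_auth_users(signins):
    """Map each account still using basic-auth protocols to the protocols seen.

    These are the mailboxes, scanners and line-of-business apps that a
    'block legacy authentication' policy will break until they are migrated.
    """
    seen = defaultdict(set)
    for s in signins:
        if s["clientAppUsed"] in LEGACY_CLIENTS:
            seen[s["userPrincipalName"]].add(s["clientAppUsed"])
    return {user: sorted(protocols) for user, protocols in seen.items()}


def report_only_impact(signins):
    """For each report-only policy, count the sign-ins it would have stopped, per user."""
    impact = defaultdict(lambda: defaultdict(int))
    for s in signins:
        for policy in s.get("appliedConditionalAccessPolicies", []):
            if policy["result"] in WOULD_HAVE_STOPPED:
                impact[policy["displayName"]][s["userPrincipalName"]] += 1
    return {policy: dict(users) for policy, users in impact.items()}


def review_summary(signins):
    """One line per finding, in the form you would paste into a change ticket."""
    lines = [f"{user} still uses {', '.join(protocols)}"
             for user, protocols in legacy_auth_users(signins).items()]
    for policy, users in report_only_impact(signins).items():
        total = sum(users.values())
        lines.append(f"'{policy}' would have stopped {total} sign-in(s) "
                     f"from {len(users)} account(s): {', '.join(sorted(users))}")
    return lines


if __name__ == "__main__":
    for line in review_summary(SAMPLE_SIGNINS):
        print(line)
```

Run it against a real export by replacing SAMPLE_SIGNINS with the parsed JSON from the sign-in log download. Accounts that appear under legacy_auth_users need a modern-auth client or an app password strategy before the block policy is switched from report-only to enabled; names under report_only_impact are the contractors and remote staff the text warns about, and each needs either an exclusion, a named location, or a conversation before enforcement.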
Common Mistakes
Locking out your own admin accounts by applying a policy without an exclusion for break-glass accounts. Always maintain at least one emergency access account excluded from conditional access policies, with a strong password stored securely offline.
Applying too many restrictions too quickly without communicating changes to staff.
Rolling out device compliance requirements before ensuring all devices are enrolled and compliant.
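The policies listed under Practical Policies, the named-location exclusion, report-only mode and the break-glass exclusion just described all interact on every sign-in, and the interaction is where people get locked out. The following is an added example written for this article, not Microsoft's evaluation engine or Graph API: a small model of how conditional access combines the conditions and controls the text lists. Policy names and the Australian SME policy set mirror the article; the user names, the emergency-access account and the "Global Admins" group name are constructed, and the decision rules (any block wins, every other matching policy's controls must all be satisfied, report-only policies are recorded but not enforced) are a simplification of the real product.

```python
"""Simplified model of how conditional access combines policies per sign-in.

Added illustration for this article; not Microsoft's engine or API. Policy
fields mirror only the conditions and controls the text lists. All account,
group and app names are constructed.
"""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class SignIn:
    user: str
    groups: frozenset          # e.g. {"Global Admins"}
    app: str                   # e.g. "Exchange Online"
    country: str               # resolved from the source IP, e.g. "AU"
    device_compliant: bool     # Intune compliance state
    client_app: str            # "browser", "modern" or "legacy" (basic auth)
    risk: str                  # Entra ID Protection level: none/low/medium/high


@dataclass(frozen=True)
class Policy:
    name: str
    grant: frozenset                         # subset of {"mfa", "compliant_device", "block"}
    state: str = "enabled"                   # or "report_only"
    include_groups: frozenset | None = None  # None = all users
    exclude_users: frozenset = frozenset()   # break-glass accounts go here
    apps: frozenset | None = None            # None = all cloud apps
    client_apps: frozenset | None = None     # None = any client type
    exclude_countries: frozenset = frozenset()  # named locations to exempt
    risk_levels: frozenset | None = None     # None = policy ignores risk


def applies(p: Policy, s: SignIn) -> bool:
    """True when every condition of the policy matches this sign-in."""
    if s.user in p.exclude_users:
        return False
    if p.include_groups is not None and not (p.include_groups & s.groups):
        return False
    if p.apps is not None and s.app not in p.apps:
        return False
    if p.client_apps is not None and s.client_app not in p.client_apps:
        return False
    if s.country in p.exclude_countries:
        return False
    if p.risk_levels is not None and s.risk not in p.risk_levels:
        return False
    return True


def evaluate(policies, s: SignIn) -> dict:
    """Combine every matching policy: any block wins; otherwise the grant
    controls of all matching enforced policies must be satisfied. Report-only
    policies are recorded with no effect on the decision."""
    required, report_only, blocked = set(), [], []
    for p in policies:
        if not applies(p, s):
            continue
        if p.state == "report_only":
            report_only.append(p.name)
            continue
        if "block" in p.grant:
            blocked.append(p.name)
        else:
            required |= p.grant
    if blocked:
        decision = "block"
    elif "compliant_device" in required and not s.device_compliant:
        decision = "block"      # control cannot be met on this device
    elif "mfa" in required:
        decision = "mfa"        # allowed once the user completes MFA
    else:
        decision = "allow"
    return {"decision": decision, "blocked_by": blocked,
            "required": sorted(required), "report_only": report_only}


BREAK_GLASS = frozenset({"emergency-access@example.com"})  # constructed
SENSITIVE_APPS = frozenset({"Exchange Online", "SharePoint Online", "Microsoft Teams"})

# The policy set the article recommends for an Australian SME. The break-glass
# account is excluded from every policy so an error here cannot lock it out.
POLICIES = [
    Policy("Require MFA for all users", frozenset({"mfa"}), exclude_users=BREAK_GLASS),
    Policy("Block legacy authentication", frozenset({"block"}),
           client_apps=frozenset({"legacy"})),
    Policy("Block sign-ins from outside Australia", frozenset({"block"}),
           exclude_users=BREAK_GLASS, exclude_countries=frozenset({"AU"})),
    Policy("Require MFA for risky sign-ins", frozenset({"mfa"}),
           risk_levels=frozenset({"medium", "high"})),
    Policy("Protect admin accounts", frozenset({"mfa", "compliant_device"}),
           include_groups=frozenset({"Global Admins"}), exclude_users=BREAK_GLASS),
    # Still in report-only: shows in the log, enforces nothing yet
    Policy("Require compliant device for sensitive apps", frozenset({"compliant_device"}),
           state="report_only", apps=SENSITIVE_APPS, exclude_users=BREAK_GLASS),
]

if __name__ == "__main__":
    admin = SignIn("admin@example.com", frozenset({"Global Admins"}),
                   "Microsoft Teams", "AU", False, "modern", "none")
    print(evaluate(POLICIES, admin))
```

The last case in the block is the lockout the Common Mistakes section warns about: an admin on a device that is not yet compliant is blocked by the admin policy even though nothing else objects, which is exactly why the break-glass account is kept out of every policy and why the device-compliance policy for ordinary users is still in report-only mode.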
Configure Conditional Access
Conditional access is one of the most effective security controls available in Microsoft 365, and it is included in Business Premium and higher licences. Contact TechAssist to configure conditional access policies tailored to your business.